CVE-2026-45989
Analyzed - Analysis Complete
Use-After-Free in Linux Kernel PCI Device Tree Overlay

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in testdrv_probe()

The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free.

The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing.

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 4 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | From 6.7 (inc) to 6.12.86 (exc)
linux | linux_kernel | From 6.13 (inc) to 6.18.27 (exc)
linux | linux_kernel | From 6.19 (inc) to 7.0.4 (exc)
linux | linux_kernel | From 6.6 (inc) to 6.6.140 (exc)

CWE
CWE ID | Description
CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's unittest component, specifically in the function testdrv_probe().

The function testdrv_probe() retrieves a device_node from a PCI device and applies an overlay. It then incorrectly calls of_node_put(dn), which releases the reference held by the PCI core. If this reference count drops to zero, the node can be freed prematurely.

Later, the same freed pointer 'dn' is used again in of_platform_default_populate(), causing a use-after-free condition.

The root cause is that the driver erroneously releases a reference that it does not own, leading to premature freeing of the device node.
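
A userspace C model of the ownership mistake described above, added here as an illustration and not taken from the kernel source or from the fix. The names node_get, node_put, populate, probe_buggy, probe_fixed and run are hypothetical stand-ins, and a released flag replaces the real free so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; hypothetical names, not kernel code. */
struct device_node { int refcount; bool released; };
struct device { struct device_node *of_node; };

static struct device_node *node_get(struct device_node *n) { n->refcount++; return n; }
/* Models of_node_put(): the last put releases the node. A flag stands in
 * for the real free so the stale access can be observed without UB. */
static void node_put(struct device_node *n)
{
    if (--n->refcount == 0)
        n->released = true;
}

/* Models of_platform_default_populate(): -1 means it was handed a released node. */
static int populate(const struct device_node *n) { return n->released ? -1 : 0; }

/* Pre-fix shape: the driver puts a reference it only borrowed. */
static int probe_buggy(struct device *dev)
{
    struct device_node *dn = dev->of_node; /* borrowed pointer, no get taken */
    node_put(dn);                          /* drops the device's own reference */
    return populate(dn);                   /* dn is stale here */
}

/* Post-fix shape: no put, because the driver never took a reference. */
static int probe_fixed(struct device *dev)
{
    return populate(dev->of_node);
}

/* Run one probe on a node whose only reference belongs to the device. */
static int run(int (*probe)(struct device *), int *refs_left)
{
    struct device_node node = { 0, false };
    struct device dev = { node_get(&node) };
    int ret = probe(&dev);
    *refs_left = node.refcount;
    return ret;
}

int main(void)
{
    int refs, bad = run(probe_buggy, &refs), good = run(probe_fixed, &refs);
    printf("buggy=%d fixed=%d\n", bad, good);
    return 0;
}
```

In the model the device holds the only reference, so the stray put always releases the node; in the kernel the node is freed only if that put drops the count to zero.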

Impact Analysis

A use-after-free vulnerability can lead to undefined behavior in the kernel, including system crashes, data corruption, or potential escalation of privileges if exploited.

Because this issue occurs in the Linux kernel, it may affect system stability and security, potentially allowing attackers to execute arbitrary code or cause denial of service.

Mitigation Strategies

The vulnerability is caused by an erroneous call to of_node_put() in the testdrv_probe() function, which drops a reference the driver does not own and can free the device_node prematurely, leading to a use-after-free condition.

To mitigate this vulnerability, run a Linux kernel version that includes the fix removing the erroneous of_node_put() call from testdrv_probe(). Going by the affected ranges listed on this page, the first fixed releases are 6.6.140, 6.12.86, 6.18.27 and 7.0.4.

If you maintain your own kernel builds, update the kernel source to the patched version or apply the patch that removes the premature of_node_put() call.
